[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



3 hours ago, mika91 said:

Just for curiosity:

Is there any plan to extend the swag container with a native authelia and ldap server?

It would be an all-in-one easy solution for unraid with global users management and reverse proxy authentication.

 

I tried to achieve such a solution with swag + authelia + openldap + phpldapadmin, without success right now 😅

No it will not be an all in one.


Hello all,

 

I have gone through the entire setup to the point where accessing my domain "overseerr.mydomain.com" results in just the SWAG welcome page displaying, instead of launching the Overseerr login page.

 

Any idea what steps I may have missed?

 

Log file for docker included.

 

EDIT: per the norm, I misinterpreted a step, and figured out what I was doing wrong. I was missing the "conf" files that I thought I only needed to modify if changes were required.

Edited by carnivorebrah

Hi,

 

I am having an error getting SWAG to work following Spaceinvader's video. I am trying to get HTTP working so that I can access nextcloud, sonarr, etc outside of my network.

 

I have port forwarded my router ports 80 and 443 to 180 and 1443 respectively and listed those ports in Unraid for SWAG, but I get the following error when I try to create the certs. When I check whocanseeme.org, however, I am seeing a blocked port 80 and 443. I have already called my ISP and confirmed that they are not blocking the ports, so I'm not sure how to proceed. I am fairly new to this and have done some research and was curious if it matters if my router's IP is the same as my public IP or not and how this relates to NAT. Currently my router's IP does not match my public IP when I look it up using whatsmyip, etc.

 

Domain: mydomain.com
Type: unauthorized
Detail: Invalid response from
http://mydomain.com/.well-known/acme-challenge/0OAvQT7bR4EqZoWAqvATD1_N6LTEeCUWQ1rpOsfhfiM
[199.188.201.227]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

7 minutes ago, semicole said:

The IP in the screenshot is the LAN address. You have to find the WAN address and compare it to the one provided by the webpage. If those two are not the same, then you are behind CGNAT.

 

Hard to say if your port forward is correct as we don't see the description of the port forward table and we also don't have the docker run command of swag to see the validation method you have set up.

It looks like you have not port forwarded 80 to 180, but to 80.

Just now, saarg said:


When I check what’s my IP, I get my external IP address or WAN IP address. I’m struggling to figure out where my WAN is listed on my router page; is there another way to figure that out that may be easier?

 

I can post a better photo of the port forwarding, but yes I had changed 180 to 80 to try to troubleshoot, it’s correct now at 180, so my external ports are 80 and 443 and my internals are 180 and 1443 and going to the correct IP address of my server.

9 minutes ago, saarg said:


Scratch that, I was able to find my WAN address of my router and it does match my public IP, so I think I’m good there and I have the correct ports forwarded and have verified from my ISP that they do not block ports 80 and 443, so what should my next steps be?

12 hours ago, semicole said:


Post the screenshot so we can see that your port forwards are correct and also the other info missing.



I setup swag for the first time last week, and successfully pointed my domain to my nextcloud instance, and have been able to access it remotely all week (via nextcloud.MYDOMAIN.COM*). I also set up a holding page (a single HTML file with an image) for my domain (without a subdomain).

Today I changed my Edgerouter X for a Unifi Security Gateway (USG) so that I could manage everything from the one Unifi Controller interface (I already had two of their APs, so thought this would be neat).

After having a heck of a time today getting it up and adopted, I do now have a running USG in my Unifi Controller.

I have also added my old DHCP reservation and Port Forwards.

But now to my problem relating to swag:

 

However, I just checked my domain via my phone (not connected to WiFi), and when I navigate to nextcloud.MYDOMAIN.COM it shows a cert error that it's self-signed. If I hit proceed, it takes me to a Unifi page that I believe is coming from my USG saying "Fatal error. There was an error handling your request. Please try again later."

WORSE YET though, is if I navigate to MYDOMAIN.COM it presents me (and anyone else on the internet) with my Unraid login screen!

I disabled the port forwards in USG, but the login screen remained, so I've shut down swag, and it now doesn't appear when I navigate to that page.

 

Does anyone have ANY idea what's going on, and how I can fix it?

 

*not my actual domain for reasons that should be obvious with the problem I'm currently facing

 

OMG 🤦‍♂️ I just realised that when I set up the port forwarding on the USG, I accidentally had 80 > Unraid:80, and 443 to Unraid:443, rather than 80 > Unraid:180 and 443 > Unraid:1443. Classic.

All seems to be working as it should now. Nevermind!

Edited by jademonkee
Realising the error of my ways
cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=duckdns.org
SUBDOMAINS=CHANGED
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d CHANGED.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for CHANGED.duckdns.org
Performing the following challenges:
http-01 challenge for CHANGED.duckdns.org
Waiting for verification...
Challenge failed for domain CHANGED.duckdns.org
http-01 challenge for CHANGED.duckdns.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: CHANGED.duckdns.org
Type: connection
Detail: Fetching
http://CHANGED.duckdns.org/.well-known/acme-challenge/wkC33SQDnnXlUZuzXOIm63eO2kVOV1QUvw5tmZahyA0:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I used an nginx container with the same ports and it shows the default nginx page, so it's not pfsense.

Welcome to our server
The website is currently being setup under this address.
For help and support, please contact: [email protected]


 

I have been mucking about with changing from proxynet to host in swag itself.

Is there a limit on how many times you can do this regarding getting new certs?

 

Oh, and everything has been running great this week since I installed it on monday.

I am just asking if there is a limitation, DDOS protection or I dunno, something that would explain why now it's not working :)

 

any help is appreciated greatly. It's been a frustrating 6 hours so it's time for bed.

Edited by BelgarionNL
5 minutes ago, strike said:

Yes, I don't remember what the limit is but for testing you should enable staging then the limit will be much higher.

 

I hope someone can say if this connection refused is regarding me hitting that limit or if it's something else.

but I appreciate you telling me that there is at least a limit! this is helpful.

 

Oh, and I tried staging. It gave me the same or similar error, but then with an unsigned cert or something.

Edited by BelgarionNL
10 minutes ago, BelgarionNL said:

 

I hope someone can actually say if this connection refused is regarding me hitting that limit or if its something else.

If it was working before and you have not changed the port forwarding it's probably because you're hitting the limit. Here you can see what the limits are: https://letsencrypt.org/docs/rate-limits/

 

Edit: Maybe check the let's encrypt log if it has any more info.

Edited by strike
3 minutes ago, BelgarionNL said:

don't think so since I am not getting this message: too many certificates already issued

 

plus I have only changed it like 10 times max. not hitting the 50 as of yet :)

What does the letsencrypt log say? it's located in your appdata folder letsencrypt/log/letsencrypt

 

Quote

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.

 

8 hours ago, strike said:



there is no log?
 

And yes I can ping my duckdns domain and it shows my ip.

 

could it be a permissions thing?
it made a couple folders as root:


Edited by BelgarionNL
13 hours ago, BelgarionNL said:


Your URL is not duckdns.org, it's your_user.duckdns.org. You don't own duckdns.org.


Hey, I just converted my UnRaid server from letsencrypt to SWAG. For some reason when I left click and select the WebUI for SWAG I get "this site can't be reached". Everything was working until I installed the SWAG docker.
 

Now I can't get to the WebUI and I am failing the check to get a certificate. I am unable to access https://<serverIP>:<sslport>

 

1 hour ago, BelgarionNL said:

 


 

domain1 being my subdomain I created on the duckdns.org website.

 

I followed the video:


It's still not correct even though you followed a guide. You do not own duckdns.org. You "own" blahblahblah.duckdns.org, so add that to domain name. Subdomains will be subdomain.blahblahblah.duckdns.org.

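The checks saarg walks through in this thread (compare the router's WAN address with the public IP to rule out CGNAT, make sure 80 and 443 are forwarded to SWAG's 180 and 1443 rather than to the host's own web server, and set URL to yourname.duckdns.org instead of duckdns.org), collected into a small pre-flight script. This is an added example, not code from the thread or from the SWAG project; every function name is my own, the two sample certbot excerpts are constructed from the failures pasted above, and 203.0.113.5 is a placeholder address. `a_record_matches` and `probe_http01` need network access; the other two functions run offline.

```python
"""Pre-flight checks for a failed SWAG http-01 validation (added example, not SWAG code)."""
import re
import socket
from urllib import error, request

DYNDNS_APEX = {"duckdns.org"}  # providers where you own <name>.apex, not the apex itself

# Constructed samples, abridged from the two certbot failures pasted in the thread.
SAMPLE_404 = ("Domain: mydomain.com\nType: unauthorized\nDetail: Invalid response from\n"
              "http://mydomain.com/.well-known/acme-challenge/TOKEN\n"
              '[203.0.113.5]: "<title>404 Not Found</title>"\n\nTo fix these errors, ...')
SAMPLE_REFUSED = ("Domain: CHANGED.duckdns.org\nType: connection\nDetail: Fetching\n"
                  "http://CHANGED.duckdns.org/.well-known/acme-challenge/TOKEN:\n"
                  "Connection refused\n\nTo fix these errors, ...")

def classify_certbot_failure(log_text: str) -> str:
    """Map certbot's 'Type:' / 'Detail:' block to the misconfiguration it usually means."""
    m = re.search(r"Type:\s*(\w+)\s*Detail:\s*(.*?)(?:\n\s*\n|\Z)", log_text, re.S)
    if not m:
        return "unknown: no validation error block found"
    kind, detail = m.group(1), " ".join(m.group(2).split())
    if kind == "connection":
        # Nothing answered on port 80 of the A record: forward missing, firewall or ISP
        # block, or the router's WAN address is not the public address (CGNAT).
        return "connection: port 80 unreachable; check the forward, firewall and WAN-vs-public IP"
    if kind == "unauthorized" and "404" in detail:
        # A web server answered, but not SWAG: e.g. 80 forwarded to host:80 instead of
        # host:180, so the Unraid UI or another server got the challenge request.
        return "unauthorized/404: another web server answered; forward 80->180 and 443->1443"
    return f"{kind}: {detail[:80]}"

def check_swag_env(env: dict) -> list:
    """Warn about the URL/SUBDOMAINS mistakes discussed in the thread."""
    warnings = []
    url = env.get("URL", "")
    if url in DYNDNS_APEX:
        warnings.append(f"URL={url}: you own <name>.{url}, not the apex; set URL=<name>.{url}")
    if env.get("ONLY_SUBDOMAINS") == "true" and not env.get("SUBDOMAINS"):
        warnings.append("ONLY_SUBDOMAINS=true with empty SUBDOMAINS: no name would be in the cert")
    return warnings

def a_record_matches(domain: str, wan_ip: str) -> bool:
    """True if the domain's A records include the router's WAN address (needs DNS)."""
    ips = {ai[4][0] for ai in socket.getaddrinfo(domain, 80, socket.AF_INET)}
    return wan_ip in ips

def probe_http01(domain: str, timeout: float = 5.0) -> str:
    """Fetch the challenge path the way Let's Encrypt does; run it from outside the LAN."""
    url = f"http://{domain}/.well-known/acme-challenge/preflight-check"  # made-up token
    try:
        with request.urlopen(url, timeout=timeout) as resp:
            return f"http_{resp.status} server={resp.headers.get('Server', '?')}"
    except error.HTTPError as e:
        # 404 from nginx/SWAG outside a live challenge is normal; a 404 carrying a different
        # Server header means the forward lands on the wrong host or port.
        return f"http_{e.code} server={e.headers.get('Server', '?')}"
    except (error.URLError, OSError) as e:
        return f"connection_error: {getattr(e, 'reason', e)}"
```

Run `probe_http01` from a phone off WiFi or another external host, as jademonkee did, because a request from inside the LAN may never traverse the router's port forward.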
12 hours ago, BTPBen said:


 

 

If it's trying to get a new cert, you have not managed to use the same appdata folder as you did for letsencrypt.

2 hours ago, saarg said:


 

except with duckdns it's blahblahblah.duckdns.org and subdomain.duckdns.org.

 

anyhow I got fed up so got my own domain + cloudflare dns verification and now it works.

 

I still think it was my ISP blocking something after I was messing around with it too long.

 

thanks for all the help!

Edited by BelgarionNL
47 minutes ago, BelgarionNL said:


No it's not.
